Privacy in Statistical Databases

Privacy in statistical databases is a discipline whose purpose is to provide so- tionstothetensionbetweenthesocial,political,economicandcorporatedemand for accurate information, and the legal and ethical obligation to protect the p- vacy of the various parties involved. Those parties are the respondents (the individuals and enterprises to which the database records refer), the data o- ers (those organizations spending money in data collection) and the users (the ones querying the database or the search engine, who would like their queries to stay con?dential). Beyond law and ethics, there are also practical reasons for data-collecting agencies and corporations to invest in respondent privacy: if individual respondents feel their privacy guaranteed, they are likely to provide moreaccurateresponses. Data ownerprivacyis primarilymotivatedbypractical considerations: if an enterprise collects data at its own expense, it may wish to minimize leakage of those data to other enterprises (even to those with whom joint data exploitation is planned). Finally, user privacy results in increaseduser satisfaction, even if it may curtail the ability of the database owner to pro?le users. Thereareatleasttwotraditionsinstatisticaldatabaseprivacy,bothofwhich started in the 1970s: the ?rst one stems from o?cial statistics, where the dis- pline is also known as statistical disclosure control (SDC), and the second one originates from computer science and database technology. In o?cial statistics, the basic concern is respondent privacy. In computer science, the initial mo- vation was also respondent privacy but, from 2000 onwards, growing attention has been devoted to owner privacy (privacy-preserving data mining) and user privacy (private informationretrieval).